CMMC guide

CMMC, explained for defense contractors.

What the Cybersecurity Maturity Model Certification is, who needs it, how the levels work, and what it takes to get certified — in plain English, without the acronym soup.

The basics

Start with the acronyms

What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense program that verifies defense contractors protect sensitive information. It turns the security requirements already in your contracts — chiefly NIST SP 800-171 — into a certification you must hold to win and keep DoD work.
What is CUI?
Controlled Unclassified Information (CUI) is government-created or -owned information that isn't classified but still requires protection — think technical drawings, specifications, or other sensitive program data. Handling CUI is what triggers a CMMC Level 2 requirement.
What is FCI?
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn't intended for public release. Contractors that handle only FCI generally need CMMC Level 1.
The three levels

CMMC has three levels

Which level you need depends on the most sensitive information you handle. Most defense contractors that touch CUI land at Level 2.

Level   | Protects                                   | Based on                                     | How it's assessed
--------|--------------------------------------------|----------------------------------------------|-------------------------------------------------------
Level 1 | Federal Contract Information (FCI)          | 15 requirements (FAR 52.204-21)              | Annual self-assessment
Level 2 | Controlled Unclassified Information (CUI)  | 110 controls (NIST SP 800-171)               | Third-party assessment by a C3PAO (most CUI contracts)
Level 3 | CUI on the highest-priority programs        | 110 + enhanced controls (NIST SP 800-172)    | Government-led assessment (DIBCAC)
Who it applies to

Who needs CMMC?

CMMC flows down the entire DoD supply chain. If you’re a prime contractor — or a subcontractor at any tier — and you handle FCI or CUI, the requirement reaches you. Your prime can’t award you the work unless you can meet the level your contract specifies.

That’s why readiness has become a competitive issue, not just a compliance one: the contractors who get certified first are the ones still eligible to bid.

The underlying standards

How NIST 800-171 and DFARS fit in

NIST SP 800-171 is the catalog of 110 security controls that protect CUI. DFARS 252.204-7012 is the contract clause that has required defense contractors to implement those controls — and report a score to SPRS — for years.

CMMC doesn’t replace any of that. It adds independent verification: instead of attesting that you meet 800-171, a Level 2 contractor proves it to a certified third-party assessor.


The bottom line

CMMC isn’t a one-time hurdle. It’s the price of staying in the DoD supply chain.

Getting certified

The path to certification

Most contractors follow the same arc: figure out where you stand, fix what’s missing, prove it holds up, and keep it current.

  1. Assess — scope your environment and score every applicable control to find your gaps.
  2. Remediate — close gaps, write your System Security Plan (SSP), and track open items in a Plan of Action & Milestones (POA&M).
  3. Validate — run a mock assessment so your evidence is tested before the real thing.
  4. Certify & stay ready — pass your C3PAO assessment, then keep controls and evidence current for reassessment.

This is exactly the journey Fortwise runs with you — see our solutions.

The assessment

What a C3PAO looks for

A Certified Third-Party Assessment Organization (C3PAO) checks whether each control is genuinely implemented — and whether you can prove it. The deciding factor is rarely the technology; it’s the evidence: documented policies, configurations, and artifacts that map cleanly to each control objective.

Contractors who struggle usually have the controls but not the proof. Organized, control-mapped evidence is what turns a tense audit into a straightforward one.

What it costs

What CMMC costs

There’s no single price. Your total cost spans three things: remediation (fixing gaps), documentation and evidence, and the third-party assessment itself. Each scales with your company size and how much of your environment is in scope.

Independent market estimates commonly put a Level 2 assessment in the tens of thousands of dollars, with total readiness often higher. The biggest lever you control is scope — the smaller and cleaner your CUI boundary, the less everything costs. (Fortwise pricing is quoted to your environment; see pricing.)

CMMC, answered

Frequently asked questions about CMMC

Does my company need CMMC?

If you hold DoD contracts — as a prime or at any tier of the supply chain — and handle FCI or CUI, you will need CMMC. Contractors handling only FCI typically need Level 1; those handling CUI typically need Level 2.

How is CMMC related to NIST SP 800-171?

CMMC Level 2 is built directly on NIST SP 800-171's 110 controls. If you're already subject to DFARS 252.204-7012, you've been required to meet 800-171 for years — CMMC adds independent verification that you actually do.

How long does it take to get CMMC-ready?

It depends on your starting posture and the size of your environment. Most contractors need to close real gaps — remediation, documentation, and evidence — before an assessment. The fastest way to scope your timeline is a readiness assessment.

How much does CMMC cost?

Costs vary widely by company size and scope, and include remediation, documentation, and the third-party assessment itself. Independent market estimates put a Level 2 assessment in the tens of thousands of dollars, with total compliance often higher — which is why scoping efficiently matters.

Free 30-minute readiness call

Not sure where you stand?

Book a 30-minute readiness call. We'll map your gaps to the level you need and give you a clear path to certification.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI